create-agentic-workflow

Fail

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/scaffold_agentic_workflow.py is vulnerable to command injection. The value of the --kill-switch parameter is interpolated directly into a shell command in the generated GitHub Actions YAML file (.github/workflows/name-agent.yml) via an f-string, with no validation, quoting or escaping. A crafted value can close the quoted grep argument and append further commands, which then run with the workflow's privileges on the GitHub Actions runner.
  • [REMOTE_CODE_EXECUTION]: The skill programmatically generates and writes executable content, including GitHub Actions workflows and Python scripts. The generated workflows download the @github/copilot CLI and run it with the shell tool enabled, so the agent can execute arbitrary commands on the runner as directed by its persona instructions.
  • [DATA_EXFILTRATION]: The generated workflows request elevated repository permissions (pull-requests: write, issues: write) and use the COPILOT_GITHUB_TOKEN secret. If an agent persona is compromised, or the source skill used for scaffolding carries malicious instructions, this privileged context is enough for data theft or unauthorized repository modifications.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface. It scaffolds agents whose system instructions come from local Markdown files (.agent.md), and those files are used as prompts for the Copilot CLI while powerful tools (read, write, shell) are active.
      • Ingestion points: The workflow generated by scripts/scaffold_agentic_workflow.py reads .github/agents/{name}.agent.md into the agent's prompt.
      • Boundary markers: Absent; the file contents are concatenated directly into the prompt string.
      • Capability inventory: The Copilot CLI is invoked with read, write and shell tool permissions.
      • Sanitization: Absent; the script neither validates nor sanitizes the source skill content before using it to generate the agent's persona.
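The COMMAND_EXECUTION finding above, reconstructed as an added example (this is illustrative code written for this audit page, not the project's scripts/scaffold_agentic_workflow.py). The exact shape of the generated step, a grep of the triggering issue body for the kill-switch token, is an assumption; the audit states only that the flag value is interpolated into a shell command with an f-string. The example renders the assumed vulnerable step next to a hardened rendering that allowlists the token and keeps it out of the shell line entirely, and tokenises the result to show how many extra commands the payload smuggles in:

```python
"""Kill-switch interpolation: vulnerable rendering beside a hardened one.

Added example for this audit page; not code from the scaffolder itself.
The grep-based template is an assumption about the generated workflow.
"""
import json
import re
import shlex

# Constructed attacker input: closes the grep's double quote, runs an
# arbitrary command, then re-opens a quote so the rest of the line parses.
PAYLOAD = 'STOP" ; id > /tmp/pwned ; echo "'


def render_step_vulnerable(kill_switch: str) -> str:
    """Assumed vulnerable shape: raw f-string interpolation into `run:`."""
    return (
        "run: |\n"
        f'  if grep -q "{kill_switch}" issue_body.txt; then\n'
        '    echo "kill switch set, skipping agent run"; exit 0\n'
        "  fi\n"
    )


# Allowlist for a kill-switch token: no whitespace, quotes or shell
# metacharacters, and a length bound so it cannot carry a payload.
KILL_SWITCH_RE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def validate_kill_switch(kill_switch: str) -> str:
    """Reject anything outside the allowlist before it reaches a template."""
    if KILL_SWITCH_RE.fullmatch(kill_switch) is None:
        raise ValueError(f"kill-switch rejected: {kill_switch!r}")
    return kill_switch


def render_step_hardened(kill_switch: str) -> str:
    """Validate, then never place the value inside the shell line.

    The token is emitted under `env:` as a YAML double-quoted scalar
    (json.dumps produces one for the allowlisted character set) and the
    step reads it through "$KILL_SWITCH", so the shell never re-parses
    its contents. `grep -F --` additionally stops the value from being
    interpreted as a regex or as grep options.
    """
    token = validate_kill_switch(kill_switch)
    return (
        "env:\n"
        f"  KILL_SWITCH: {json.dumps(token)}\n"
        "run: |\n"
        '  if grep -qF -- "$KILL_SWITCH" issue_body.txt; then\n'
        '    echo "kill switch set, skipping agent run"; exit 0\n'
        "  fi\n"
    )


def injected_separators(rendered_step: str) -> int:
    """Count standalone `;` tokens on the `if` line, split as a POSIX
    shell would: each one is a command boundary the author did not write."""
    line = next(
        ln for ln in rendered_step.splitlines() if ln.strip().startswith("if ")
    )
    return shlex.split(line.strip()).count(";")


if __name__ == "__main__":
    vulnerable = render_step_vulnerable(PAYLOAD)
    print(vulnerable)
    print("injected command separators:", injected_separators(vulnerable))
    try:
        render_step_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened renderer:", exc)
    print(render_step_hardened("STOP-AGENT"))
```

Validation alone is not the point here; the structural fix is that the untrusted value is passed to the step through `env:` rather than spliced into the command text, which is the pattern GitHub recommends for any value that originates outside the workflow file. The allowlist is defence in depth so that the YAML scalar stays trivially well-formed.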
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 24, 2026, 08:28 AM
Security Audit — agent-trust-hub — create-agentic-workflow